On the 12th of September 2023, SAP Security Patch Day saw the release of 13 new Security Notes.
There were 5 updates to previously released Security Notes.
Notes by severity

Severity | Count |
---|---|
HotNews | 5 |
Correction with high priority | 2 |
Correction with medium priority | 9 |
Correction with low priority | 2 |
Highlights
On September Patch Day SAP presents 7 high-severity Notes: 5 of them are HotNews and 2 are rated as corrections with high priority.
We will start our digest for today with the usual Google Chromium browser Security update – Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10. This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.
BusinessObjects Business Intelligence Platform receives two critical security improvements:
The first is Note 3320355 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) – with a CVSS Score of 9.9.
Under certain conditions, SAP BusinessObjects Business Intelligence Platform (Promotion Management) allows an authenticated attacker to read sensitive information that would otherwise be restricted. With successful exploitation, the attacker can entirely compromise the application, significantly impacting confidentiality, integrity, and availability.
The second is Note 3370490 – Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) – with a CVSS Score of 8.7.
SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) allows a report creator to transfer files from the local system into the report across the network because of insufficient file type validation. When an image file is uploaded, an authenticated attacker can intercept the request, change the content type and extension, and thereby access and modify sensitive data, putting the application’s security and integrity at risk.
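To illustrate the class of defect described above (the content type and extension of an upload are client-controlled, so a check that looks only at them can be bypassed by editing the request), here is an added example, not SAP's code, contrasting a check that trusts the declared metadata with one that also verifies the uploaded bytes. The function names, signature table and sample uploads are constructed for this illustration.

```python
# Added example (not SAP's code): validating an uploaded "image" by its real
# bytes instead of by the client-supplied extension and Content-Type alone.

# Leading bytes ("magic numbers") of the image formats the handler accepts.
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def _extension(filename: str) -> str:
    """Normalised file extension ("jpg" is folded into "jpeg")."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpeg" if ext == "jpg" else ext


def weak_is_image(filename: str, content_type: str) -> bool:
    """Weak check: looks only at metadata the client itself supplies.
    Filename and Content-Type both travel in the multipart request, so
    whoever intercepts the request can set them to anything."""
    return _extension(filename) in IMAGE_SIGNATURES and content_type.startswith("image/")


def sniff_image_format(data: bytes):
    """Return the format implied by the file's own leading bytes, or None."""
    for fmt, signatures in IMAGE_SIGNATURES.items():
        if data.startswith(signatures):
            return fmt
    return None


def strict_is_image(filename: str, content_type: str, data: bytes) -> bool:
    """Strict check: extension, declared Content-Type and the actual bytes
    must all name the same format, so editing the metadata alone cannot pass."""
    fmt = sniff_image_format(data)
    if fmt is None:
        return False
    return _extension(filename) == fmt and content_type == f"image/{fmt}"


# Constructed sample uploads: a minimal PNG header, and a body that is not an image.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
TAMPERED_BODY = b"<html>this body is not an image at all</html>"

if __name__ == "__main__":
    # Same metadata on both uploads: the weak check accepts both,
    # the strict check accepts only the genuine PNG.
    for body in (GOOD_PNG, TAMPERED_BODY):
        print(weak_is_image("report.png", "image/png"),
              strict_is_image("report.png", "image/png", body))
```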
There is also an update to Note 3245526 – Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) – with a CVSS Score of 9.9.
In some cases, SAP Business Objects Business Intelligence Platform (CMC) Program Object execution might result in a code injection vulnerability, allowing an attacker to get access to resources that are only accessible with additional privileges. A successful attack could have a significant impact on the system’s confidentiality, integrity, and availability.
This note has been re-released with updated ‘Support Packages & Patches’ information reflecting the new patch levels.
At first glance, an SAP NetWeaver AS Java Note receives a high-priority update as well. However, no additional action on your side is required, because this security note was taken back inadvertently and has simply been re-released.
Note 3273480 – Improper access control in SAP NetWeaver AS Java (User Defined Search) – with a CVSS Score of 9.9. This security note was taken back inadvertently and has been re-released without any changes. No additional customer action is required.
Finally, SAP CommonCryptoLib gets two important security corrections:
Note 3340576 – Missing Authorization check in SAP CommonCryptoLib – with a CVSS Score of 9.8.
SAP CommonCryptoLib fails to conduct required authentication checks, which may result in missing or incorrect permission checks for an authenticated user and thus in privilege escalation. Depending on the program and the amount of access obtained, an attacker could read, edit, or delete restricted data as well as exploit capabilities restricted to a certain user group.
Note 3327896 – Memory Corruption vulnerability in SAP CommonCryptoLib – with a CVSS Score of 7.5.
An unauthenticated attacker can craft a request that, when submitted to an open port, causes a memory corruption issue in the SAP CommonCryptoLib library, causing the target component to crash and become unavailable. Information can be neither accessed nor changed.
We highly recommend paying special attention to these notes, as the corrections for SAP CommonCryptoLib affect a considerable number of areas, such as ABAP and HANA systems and more, wherever the library is in use. If these vulnerabilities are exploited, the systems’ confidentiality will most likely be compromised.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
BI-BIP-LCM | 3320355 | [CVE-2023-40622] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Promotion Management) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L |
BI-BIP-CMC | 3245526 | [CVE-2023-25616] Code Injection vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
BC-IAM-SSO-CCL | 3340576 | [CVE-2023-40309] Missing Authorization check in SAP CommonCryptoLib | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
BI-RA-WBI-FE | 3370490 | [CVE-2023-42472] Insufficient File type validation in SAP BusinessObjects Business Intelligence Platform (Web Intelligence HTML interface) | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
BC-IAM-SSO-CCL | 3327896 | [CVE-2023-40308] Memory Corruption vulnerability in SAP CommonCryptoLib | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BC-SYB-PD | 3357163 | [CVE-2023-40621] Code Injection vulnerability in SAP PowerDesigner Client | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L |
BI-BIP-INS | 3317702 | [CVE-2023-40623] Arbitrary File Delete via Directory Junction in SAP BusinessObjects Suite(installer) | medium | 6.2 | CVSS:3.0/AV:A/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:H |
MM-FIO-PUR-REQ-SSP | 3156972 | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-UI5-COR | 3149794 | Cross-Site Scripting (XSS) vulnerabilities in jQuery-UI library bundled with SAPUI5 | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
FS-QUO | 3349805 | Denial of service (DOS) vulnerability due to the usage of vulnerable version of Commons FileUpload in SAP Quotation Management Insurance (FS-QUO) | medium | 5.7 | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
BC-WD-UR | 3323163 | [CVE-2023-40624] Code Injection vulnerability in SAP NetWeaver AS ABAP (applications based on Unified Rendering) | medium | 5.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
MM-FIO-PUR-SQ-CON | 3326361 | [CVE-2023-40625] Missing Authorization check in Manage Purchase Contracts App | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
BI-BIP-LCM | 3352453 | [CVE-2023-37489] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-GP | 3348142 | [CVE-2023-41367] Missing Authentication check in SAP NetWeaver (Guided Procedures) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
FI-FIO-AP | 3369680 | [CVE-2023-41369] External Entity Loop vulnerability in SAP S/4HANA (Create Single Payment application) | low | 3.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
FI-FIO-AP-CHK | 3355675 | [CVE-2023-41368] Insecure Direct Object Reference (IDOR) vulnerability in SAP S/4HANA (Manage checkbook apps) | low | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |